Tax season is here. Are you safe? That seems like an odd question to ask; nevertheless, with the increasing sophistication of cybercriminals it must be considered and answered.
With tax season upon us, cybercriminals have yet another way to exploit gaps in technology security. For many, the answer to technology-based security threats is to throw money at the problem: that money is spent on new hardware and software intended to keep bad actors at bay. However, the gap in security most often overlooked is employee education and the adoption of simple internal operating procedures.
The category of cybercrime discussed in this blog post is called a "social engineering attack." In these attacks, criminals take advantage of our predispositions as human beings — as normal everyday corporate citizens — and use them against us. For example, whether we work in a small business or a globe-spanning corporation, when our boss or someone in a senior leadership position asks for something, we know we should act quickly to satisfy the request. Most people do so without even thinking. And in a workplace where communication frequently occurs over email or messaging software, there is often no face-to-face or verbal conversation at all.
These two things, our behavioral training within a corporate structure and the lack of face-to-face or verbal communication, are the vectors criminals use to inflict millions of dollars of damage on employees and businesses every day.
One of the most striking aspects of the attack is that it is not sophisticated and involves none of the Hollywood-style computer hacking depicted in the movies.
Here’s just one example of how this scam works:
- A cybercriminal scans a company website to determine who the senior leadership team is (business owners, presidents, CEOs)
- The cybercriminal places calls into the company to determine names of key people in human resources and finance departments
- The cybercriminal sets up a fake email address using the real name of one of the most senior people in the company
- The cybercriminal sends email messages to the key people in the human resources and finance departments requesting the IRS W-2 filing data being prepared for all employees
- The human resources or finance staff receive this message, respond to the email, and provide the data as requested
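Step three of the scam, a sender address that borrows a real executive's name, is something mail-handling code can flag before a human reads the message. The following check is an added example, not code from the original post or from Datamax; the executive names, the corporate domain and the two sample messages are constructed placeholders.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed placeholders: the company's real mail domain and the leadership
# names an attacker could harvest from the public website.
CORPORATE_DOMAIN = "example.com"
EXECUTIVES = {"Jane Doe", "John Roe"}


def _normalize(name: str) -> str:
    """Collapse case, commas and spacing so 'DOE, Jane' and 'jane doe' compare equal."""
    return " ".join(name.replace(",", " ").split()).casefold()


def _domain(address: str) -> str:
    return address.rpartition("@")[2].casefold()


def check_sender(raw_message: str) -> list[str]:
    """Return the reasons a message looks like executive impersonation.

    Two signals are checked: the From display name matches a known executive
    while the address is not on the corporate domain, and a Reply-To header
    routes replies to a different domain than the visible sender.
    An empty list means neither mismatch was found.
    """
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = _domain(addr)
    reasons = []
    if _normalize(display) in {_normalize(n) for n in EXECUTIVES} and sender_domain != CORPORATE_DOMAIN:
        reasons.append(f"display name '{display}' matches an executive but sender domain is '{sender_domain}'")
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != sender_domain:
        reasons.append(f"Reply-To '{reply_addr}' routes replies away from the sender domain")
    return reasons


# Constructed sample messages: one impersonating the CEO from a lookalike
# domain, one genuinely sent from the corporate domain.
SPOOFED = (
    'From: "Jane Doe" <jane.doe@examp1e-mail.com>\n'
    "Reply-To: ceo-urgent@mailbox-relay.test\n"
    "Subject: W-2 forms for all employees\n\nNeed these before noon."
)
LEGIT = 'From: "Jane Doe" <jane.doe@example.com>\nSubject: Quarterly review\n\nAgenda attached.'
```

Flagged messages should be held for the same out-of-band confirmation the post recommends below; the check only decides which requests deserve the phone call.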
The problem is that the requested information has not gone to the company leader at all; it has been delivered to a cybercriminal. What is their next step? Filing fraudulent tax returns that generate refunds. Those refunds are sent to temporary bank accounts from which the money is withdrawn almost immediately.
Companies and employees often don’t find out about the problem until weeks later when they file their personal tax forms and are notified by the IRS that they are filing in duplicate and that there is a problem — often a large problem that can have serious financial consequences.
Think about this scenario for a moment... This is not a sophisticated scam. However, it is an effective and profitable one and it happens to an increasing number of companies across America each year around tax time. Accenture Security’s 2019 “The Cost of Cybercrime” annual report indicates that the number of organizations that reported experiencing phishing and social engineering attacks increased 16% year over year.
The good news? This type of threat can be minimized. The bad news? This is only one example of an effective social-engineered attack and there are many, many others that are just as effective and just as damaging.
Let’s discuss the good news first.
There are immediate steps that can be put in place to minimize the risk faced by companies and employees alike. More good news? Some of these steps involve only the adoption of simple operational procedures and employee training, and do not require the acquisition of expensive computer servers or other hardware.
For example, meet with the human resources and finance teams and instruct them that for certain categories of requests from senior leadership, an immediate response should NOT be given. Instead, the next step should be a telephone call to a known internal number or an in-person visit to confirm the executive's request. Once confirmed, the request can be fulfilled.
For help with the bad news (that this is not the only way social engineering is used against employees and companies), contact Datamax for a free security training session created specifically for business people. It is free of geek speak and can be delivered either onsite using traditional presentation methods or virtually via an Internet-based webinar.*
Remember, tax season is here. Are you safe? To speak further about security training at your organization, click below!
*Depending on location, travel fees may apply